System and method for protecting a computer system from malicious software

ABSTRACT

In a computer system, a first electronic data processor is communicatively coupled to a first memory space and a second memory space. A second electronic data processor is communicatively coupled to the second memory space and to a network interface device. The second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device. A video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format. The computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.

CROSS REFERENCE TO MULTIPLE REISSUE APPLICATIONS

This is a reissue continuation application of U.S. Reissue patent application Ser. No. 12/854,149 filed Aug. 10, 2010 (now, U.S. Pat. No. Re. 43,103), which is a reissue application of U.S. Pat. No. 7,484,247, entitled “System and Method for Protecting a Computer System from Malicious Software,” issued on Jan. 27, 2009. The following are related reissue applications: U.S. patent application Ser. No. 12/720,147 (now, U.S. Pat. No. Re. 43,528) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, U.S. patent application Ser. No. 12/720,207 (now, U.S. Pat. No. Re. 43,500) from U.S. Pat. No. 7,484,247, filed on Mar. 9, 2010, and U.S. patent application Ser. No. 12/941,067 (now, U.S. Pat. No. Re. 43,529) from U.S. Pat. No. 7,484,247, filed on Nov. 7, 2010. All of the above applications are incorporated herein by reference.

TECHNICAL FIELD

The present invention relates generally to computer hardware and software, and more particularly to a system and method for protecting a computer system from malicious software.

CROSS REFERENCE TO RELATED PATENTS AND APPLICATIONS

This application is related to the following U.S. patents and applications:

U.S. patent or PUB Application Number | Title | Inventor(s)
5,826,013 | Polymorphic virus detection module. | Nachenberg
5,978,917 | Detection and elimination of macro viruses. | Chi
6,735,700 | Fast virus scanning using session stamping. | Flint, et al.
6,663,000 | Validating components of a malware scanner. | Muttik, et al.
6,553,377 | System and process for maintaining a plurality of remote security applications using a modular framework in a distributed computing environment. | Eschelbeck, et al.
6,216,112 | Method for software distribution and compensation with replenishable advertisements. | Fuller, et al.
4,890,098 | Flexible window management on a computer display. | Dawes, et al.
5,555,364 | Windowed computer display. | Goldstein
5,666,030 | Multiple window generation in computer display. | Parson
5,995,103 | Window grouping mechanism for creating, manipulating and displaying windows and window groups on a display screen of a computer system. | Ashe
5,502,808 | Video graphics display system with adapter for display management based upon plural memory sources. | Goddard, et al.
5,280,579 | Memory mapped interface between host computer and graphics system. | Nye
5,918,039 | Method and apparatus for display of windowing application programs on a terminal. | Buswell, et al.
6,480,198 | Multi-function controller and method for a computer graphics display system. | Kang
6,167,522 | Method and apparatus for providing security for servers executing application programs received via a network. | Lee, et al.
6,199,181 | Method and system for maintaining restricted operating environments for application programs or operating systems. | Rechef, et al.
6,275,938 | Security enhancement for untrusted executable code. | Bond, et al.
6,321,337 | Method and system for protecting operations of trusted internal networks. | Reshef, et al.
6,351,816 | System and method for securing a program's execution in a network environment. | Mueller, et al.
6,546,554 | Browser-independent and automatic apparatus and method for receiving, installing and launching applications from a browser on a client computer. | Schmidt, et al.
6,658,573 | Protecting resources in a distributed computer system. | Bischof, et al.
6,507,904 | Executing isolated mode instructions in a secure system running in privilege rings. | Ellison, et al.
6,633,963 | Controlling access to multiple memory zones in an isolated execution environment. | Ellison, et al.
6,678,825 | Controlling access to multiple isolated memories in an isolated execution environment. | Ellison, et al.
5,751,979 | Video hardware for protected, multiprocessing systems. | McCrory
6,581,162 | Method for securely creating, storing and using encryption keys in a computer system. | Angelo, et al.
6,134,661 | Computer network security device and method. | Topp
6,578,140 | Personal computer having a master computer system and an internet computer system and monitoring a condition of said master and internet computer systems. | Policard
PUB Application # 20040054588 | E-mail software and method and system for distributing advertisements to client devices that have such e-mail software installed thereon. | Jacobs, Paul E.; et al.
PUB Application # 20040034794 | System and method for comprehensive general generic protection for computers against malicious programs that may steal information and/or cause damages. | Mayer, Yaron; et al.
PUB Application # 20040006715 | System and method for providing security to a remote computer over a network browser interface. | Skrepetos, Nicholas C.
PUB Application # 20030177397 | Virus protection in an internet environment. | Samman, Ben
PUB Application # 20030097591 | System and method for protecting computer users from web sites hosting computer viruses. | Pham, Khai; et al.
PUB Application # 20030023857 | Malware infection suppression. | Hinchliffe, Alexander James; et al.
PUB Application # 20020066016 | Access control for computers. | Riordan, James
PUB Application # 20020174349 | Detecting malicious alteration of stored computer files. | Wolff, Daniel Joseph; et al.

The above-listed U.S. Patents and U.S. patent applications are incorporated by reference as if reproduced herein in their entirety.

BACKGROUND

The very popular and ubiquitous rise of the ‘personal’ computer system as an essential business tool and home appliance, together with the exponential growth of the Internet as a means of providing information flows across a wide variety of connected computing devices, has changed the way people live and work. Information in the form of data files and executable software programs regularly flows across the planet-wide system of interconnected computers and data storage devices.

Popular and ubiquitous computer hardware and software architectures have typically been designed to allow for open interconnection via, for example, the internet, a VPN, a LAN, or a WAN, with information often capable of being freely shared between the interconnected computers. This open interconnection architecture has contributed to the adoption and mainstream usage of these computers and the subsequent interconnection of vast networks of computers. This easy-to-use system has given rise to the explosive popularity of applications such as email, internet browsing, search engines, interactive gaming, instant messaging, and many, many more.

Although there are definite benefits to this open interconnection architecture, a lack of security against unwanted incursions into the computer's main processing and non-volatile memory space has emerged as a significant problem. An aspect of some current computer architectures that has contributed to the security problem is that by default programs are typically allowed to interact with and/or alter other programs and data files, including critical operating system files, such as the Windows registry, for example. Current open interconnection architectures have opened the door to a new class of unwanted malicious software generally known as malware. This malware is capable of infiltrating any computer system which is connected to a network of interconnected computer systems. Malware is comprised of, but not limited to, classes of software files known as viruses, worms, Trojan horses, browser hijackers, adware, spyware, pop-up windows, data miners, etc. Such malware attacks are capable of stealing data by sending user keystrokes or information stored on a user's computer back to a host, changing data or destroying data on personal computers and/or servers and/or other computerized devices, especially through the Internet. At the least, these items represent a nuisance that interferes with the smooth operation of the computer system, and in the extreme, can lead to the unauthorized disclosure of confidential information stored on the computer system, significant degradation of computer system performance, or the complete collapse of computer system function.

Malware has recently become much more sophisticated and much more difficult for users to deal with. Once resident on a computer system, many malware programs are designed to protect themselves from deletion. For example, some malware programs comprise a pair of programs running simultaneously, with each program monitoring the other for deletion. If one of the pair of programs is deleted, the other program installs a replacement within milliseconds. In another example, some malware will run as a Windows program with a .dll extension, which Windows may not allow a user to delete while it is executing. Malware may also reset a user's browser home page, change browser settings, or hijack search requests and direct such requests to another page or search engine. Further, the malware is often designed to defeat the user's attempts to reset the browser settings to their original values. In another example, some malware programs secretly record user input commands (such as keystrokes), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, credit account numbers, etc.

Many existing computers rely on a special set of instructions which define an operating system (O/S) in order to provide an interface for computer programs and computer components such as the computer's memory and central processing unit (CPU). Many current operating systems have a multi-tasking capability which allows multiple computer programs to run simultaneously, with each program not having to wait for termination of another in order to execute instructions. Multi-tasking O/S's allow programs to execute simultaneously by allowing programs to share resources with other programs. For example, an operating system running multiple programs executing at the same time allows the programs to share the computer's CPU time. Programs which run on the same system, even if not simultaneously with other programs, share space on the same nonvolatile memory storage medium. Programs which are executing simultaneously are presently able to place binaries and data in the same physical memory at the same time, limited to a certain degree by the O/S restrictions and policy, to the extent that these are properly implemented. Memory segments are shared by programs being serviced by the O/S, in the same manner. O/S resources, such as threads, process tables and memory segments, are shared by programs executing simultaneously as well.

While allowing programs to share resources has many benefits, there are resulting security related ramifications, particularly regarding malware programs. Security problems include allowing the malware program: to monopolize CPU time, leaving other programs with little or no CPU time; to read, forge, write, delete or otherwise corrupt files created by other programs; to read, forge, write, delete or otherwise corrupt executable files of other programs, including the O/S itself; and to read and write memory locations used by other programs to thus corrupt execution of those programs.

In the case of a computer connected to the Internet, the computer may run an O/S, with several user applications, together comprising a known and trusted set of programs, concurrently with an Internet browser, possibly requiring the execution of downloaded code, such as Java applets, or EXE/COM executables, with the latter programs possibly containing malware. Many security features and products are being built by software manufacturers and by O/S programmers to prevent malware infiltrations from taking place, and to ensure the correct level of isolation between programs. Among these are architectural solutions such as rings-of-protection, in which different trust levels are assigned to memory portions and tasks; paging, which includes mapping of logical memory into physical portions or pages, allowing different tasks to have different mappings, with the pages having different trust levels; and segmentation, which involves mapping logical memory into logical portions or segments, each segment having its own trust level, wherein each task may reference a different set of segments. Since the sharing capabilities using traditional operating systems are extensive, so are the security features. However, the more complex the security mechanism is, the more options a malware practitioner has to bypass the security and to hack or corrupt other programs or the O/S itself, sometimes using these very features that allow sharing and communication between programs to do so.

Further, regarding malware programs, for virtually every software security mechanism, a malware practitioner has found a way to subvert, or hack around, the security system, allowing a malware program to cause harm to other programs in the shared environment. This includes every operating system and even the Java language, which was designed to create a standard interface, or sandbox, for Internet downloadable programs or applets.

Major vulnerabilities of existing computer systems lie in the architectures of the computer system and of the operating system itself. A typical multi-tasking O/S environment includes an O/S kernel loaded in the computer random access memory (RAM) at start-up of the computer. The O/S kernel is a minimal set of instructions which loads and off-loads resources and resource vectors into RAM as called upon by individual programs executing on the computer. Sometimes, when two or more executing programs require the same resource, such as printer output, for example, the O/S kernel leaves the resource loaded in RAM until all programs have finished with that resource. Other resources, such as disk read and write, are left in RAM while the operating system is running because such resources are more often used than others. The inherent problem with existing architectures is that resources, such as RAM, or a hard disk, are shared by programs simultaneously, giving a malware program a conduit to access and corrupt other programs, or the O/S itself, through the shared resource. Furthermore, as many application programs are of a general nature, many features are enabled by default or by the O/S, thus in many cases bypassing the O/S security mechanism. Such is the case when a device driver or daemon is run by the O/S in kernel mode, which gives it unrestricted access to many if not all the resources.

The most common state-of-the-art solutions for preventing malware infiltration are software based, such as blockers, sweepers and firewalls, for example, and hardware based solutions such as router/firewalls. Examples of software designed to counter malware are Norton SystemWorks, distributed by the Symantec Corporation, Ad-aware, distributed by the Lavasoft Corporation of Sweden, Spy Sweeper, distributed by the Webroot Software Corporation, and Spyware Guard, distributed by Javacool Software LLC, among others. Currently there are a plethora of freeware, shareware and purchased software programs designed to counter malware by a variety of means. Such anti-malware programs are limited because they can only detect known malware that has already been identified (usually after the malware has already attacked one or more computers).

Network firewalls are typically based on packet filtering, which is limited in principle, since the rules determining which packets to accept and which to reject may contain subjective decisions based on trusting known sites or known applications. However, once security is breached for any reason (for example, due to a software or hardware error, a new piece of malware unrecognized by the anti-malware program or firewall, or an intended deception), a malicious application may take over the computer or server or possibly the entire network and create unlimited damages (directly or indirectly, by opening the door to additional malicious applications).

The methods in the prior art are typically comprised of embedded software countermeasures that detect and filter unwanted intrusions in real time, or scan the computer system either at the direction of a user or as a scheduled event. Two problems arise from these methods. In the first instance, a comprehensive scan, detection, and elimination of malware from desired incoming data streams could significantly slow or preclude the interactive nature of many applications such as gaming, messaging, and browsing. In the second instance, newly implemented software screens may be quickly circumvented by malware practitioners who are determined to pass their files through the screen. Newly discovered malware leads to the development of additional screens, which lead to more malware, etc., thus creating an escalating cycle of measure and countermeasure. The basic flaw is that all incoming executable data files must be resident on the computer's main processor to perform their desired function. Once resident on that processor, access may be gained to non-volatile memory and other basic computer system elements. Malware exploits this key architectural flaw to infiltrate and compromise computer systems.

The majority of these applications rely upon a scanning engine which searches suspect files for the presence of predetermined malware signatures. These signatures are held in a database which must be constantly updated to reflect the most recently identified malware. Typically, users regularly download replacement databases, either over the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also expected to update their software engines every so often in order to take advantage of new virus detection techniques (e.g. which may be required when a new strain of malware is detected).

Many of the aforementioned applications are also not effective against security holes, for example, in browsers or e-mail programs, or in the operating system itself. Security holes in critical applications are discovered quite often, and just keeping up with all the patches is cumbersome. Also, without proper generic protection against, for example, Trojan horses, even VPNs (Virtual Private Networks) and other forms of data encryption, including digital signatures, are not totally safe, because information can be stolen before or below the encryption layer. Even personal firewalls are typically limited, because once a program is allowed to access the Internet, there are often few limitations on what files may be accessed and transmitted back to a host.

A major problem faced by computer users connected to a network is that the network interface program (a browser, for example) is resident on the same processor as the O/S and other trusted programs, and shares space on a common memory storage medium. Even with security designed into the O/S, malware practitioners have demonstrated great skill in circumventing software security measures to create malware capable of corrupting critical files on the shared memory storage medium. When this happens, users are often faced with a lengthy process of restoring their computer systems to the correct configuration, and often important files are simply lost because no backup exists.

Therefore, what is needed in the art is a means of isolating the network interface program from the main computer system such that the network interface program does not share a common memory storage area with other trusted programs. The network interface program may be advantageously given access to a separate, protected memory area, while being unable to initiate access to the main computer's memory storage area. With the network interface program constrained in this way, malware programs are rendered unable to automatically corrupt critical system and user files located on the main memory storage area. If a malware infection occurs, a user would be able to completely clean the malware infection from the computer using a variety of methods. A user could simply delete all files contained in the protected memory area, and restore them from an image residing on the main memory area, for example.

Other discussions of malware, its effects on computer systems, techniques used by malware practitioners to install malware, and techniques for detection and removal, may be found in the published literature, and in some of the patents and applications previously incorporated by reference. Reference to malware may be found in a technical white paper entitled “Spyware, Adware, and Peer-to-Peer Networks: The Hidden Threat to Corporate Security,” by Kevin Townsend, © Pest Patrol Inc. 2003. Pest Patrol is a Carlisle, Pa. based developer of software security tools. Another reference is a technical white paper entitled “Beyond Viruses: Why anti-virus software is no longer enough,” by David Stang, PhD, © Pest Patrol Inc. 2002. Yet another reference is “The Web: Threat or Menace?” from “Firewalls and Internet Security: Repelling the Wily Hacker”, Second Edition, Addison-Wesley, ISBN 0-201-63466-X, Copyright 2003. The foregoing references are incorporated by reference as if reproduced herein in their entirety.

SUMMARY OF THE INVENTION

Embodiments of the present invention achieve technical advantages as a system and method for protecting a computer system from malicious software attacks via a network connection.

It is an object of the present invention to provide a computer system capable of preventing malware programs from automatically corrupting critical user and system files.

It is another object of the present invention to confine any malware infection that may occur to a separate, protected part of the computer system.

It is another object of the present invention to provide a user with an easy and comprehensive method of removing the malware infection, even if the user's anti-malware software is incapable of detecting and/or removing the malware infection.

It is another object of the present invention to provide a user with an easy and comprehensive method of restoring critical system and user files that may have been corrupted by a malware infection.

It is another object of the present invention to provide a computer system configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked.

It is another object of the present invention to provide a computer system capable of executing instructions in a first logical process, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space.

It is another object of the present invention to provide a computer system capable of executing instructions in a second logical process, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers.

It is another object of the present invention to provide a computer system capable of displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal.

It is another object of the present invention to provide a computer system configured such that a malware program downloaded from the network and executing as part of the second logical process is incapable of initiating access to the first memory space.

It is another object of the present invention to provide a computer system configured such that corrupted data files residing on the second memory space may be restored from an image residing on the first memory space.

It is another object of the present invention to provide a computer system configured such that data files residing on the second memory space may be automatically deleted when the second logical process is terminated.

It is another object of the present invention to provide a computer system configured such that the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.

These objects and other advantages are provided by a preferred embodiment of the present invention wherein a computer system comprises a first electronic data processor communicatively coupled to a first memory space and to a second memory space, and a second electronic data processor communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device; a video processor is adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format; and the computer system is configured such that a malware program downloaded from the network and executing on the second electronic data processor is incapable of initiating access to the first memory space.

TERM DESCRIPTION

Memory—This term is intended to broadly encompass any device capable of storing and/or incorporating computer readable code for instantiating the client device referred to immediately above. Thus, the term encompasses all types of recording medium, e.g., a CD-ROM, a disk drive (hard or soft), magnetic tape, and recording devices, e.g., memory devices including DRAM, SRAM, EEPROM, FRAM, and Flash memory. It should be noted that the term is intended to include any type of device which could be deemed persistent storage. To the extent that an Application Specific Integrated Circuit (ASIC) can be considered to incorporate instructions for instantiating a client device, an ASIC is also considered to be within the scope of the term “memory.”

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, and the advantages thereof, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIG. 1 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 2 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention;

FIG. 3 illustrates a preferred embodiment of an exemplary file download process according to the principles of the present invention;

FIG. 4 illustrates a preferred embodiment of an exemplary memory restoration process according to the principles of the present invention;

FIG. 5 illustrates a preferred embodiment of an exemplary automatic memory restoration and cleaning process according to the principles of the present invention;

FIG. 6 illustrates a preferred embodiment of an exemplary interactive network process flow according to the principles of the present invention;

FIG. 7 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 8 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 9 illustrates a preferred embodiment of an exemplary computer system according to the principles of the present invention;

FIG. 10 illustrates a preferred embodiment of an exemplary protected process flow according to the principles of the present invention.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The making and using of the presently preferred embodiments are discussed in detail below. It should be appreciated, however, that the present invention provides many applicable inventive concepts that can be embodied in a wide variety of specific contexts. The specific embodiments discussed are merely illustrative of specific ways to make and use the invention, and do not limit the scope of the invention.

A computer system, constructed in accordance with a preferred embodiment of the present invention, is illustrated in FIG. 1. Computer system 100 may represent, for example, a personal computer (PC) system, a server, a portable computer, such as a notebook computer, or any data processing system, a personal digital assistant (PDA), a communication device such as a cell phone, or any device that is capable of being connected to a network of one or more computers. System 100 comprises a first processor 120 (P1) communicatively coupled to a first memory and data storage area 110 (M1). P1 120 may comprise, for example, a microprocessor, such as a Pentium® 4 processor, manufactured by the Intel Corporation, or a PowerPC® processor, manufactured by the IBM Corporation. Other electronic data processors manufactured by other companies, including but not limited to electronic data processors realized in Application Specific Integrated Circuits (ASICs) or in Field Programmable Gate Arrays (FPGAs), are within the spirit and scope of the present invention.

The first memory and data storage area 110 may comprise both volatile and nonvolatile memory devices, such as DRAMs and hard drives, respectively. Any memory structure and/or device capable of being communicatively coupled to P1 may be advantageously used in the present invention. M1 may be used to store, for example, critical operating system files, user data and applications, interim results of calculations, etc. The many uses of computer memory are well understood by those skilled in the art, and will not be discussed further here. One may refer to several of the aforementioned patents and applications incorporated by reference, in addition to other references, for a discussion of existing computer architectures and uses of computer memory. Also part of system 100 is user interface 150, which may comprise, for example, a keyboard, mouse or other pointing device, microphone, pen pad, etc. Any device or method capable of inputting commands and/or data from a user 160 to computer system 100 may be used to advantage. A video processor 170 is used to format information for display and transmit the display information to a video display device 180, which is viewed by user 160. Video processor 170 typically includes an associated video memory area, which may be dedicated to the video processor, or shared with other resources. It is understood in the art that the video processor 170 may be part of processor P1 120, in that it may be integrated onto the microprocessor chip. Video processor 170 may also comprise a processor IC located on a video graphics card, which is communicatively coupled to a computer motherboard. Additionally, video processor 170 may comprise circuitry located on the computer motherboard. Further still, functions of video processor 170 may be split between the processor, motherboard, or separate video graphics card.

It is often desirable to connect computer system 100 to a network of one or more computer devices 195, such as the Internet, a LAN, WAN, VPN, etc. This connection may be accomplished via network interface device 190, which may comprise, for example, a telephone modem, a cable modem, a DSL line, a router, gateway, hub, etc. Any device capable of interfacing with the network 195 may be used, via a wired connection, a wireless connection, or an optical connection, for example. Network interface device 190 may connect to network 195 through one or more additional network interface devices (not shown). For example, network interface device 190 may comprise a gateway or router, connected to a cable modem, with the cable modem connected to network 195. Of course, other configurations are within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, network 195 is isolated from the first processor 120 and memory 110 by a second processor 140 (P2). Second processor 140 may comprise any electronic data processor, such as the devices previously described as applicable to first processor 120. Communicatively coupled to P2 140 is second memory and data storage area 130 (M2), which may comprise any memory device or devices, such as the devices previously described as applicable to first memory 110.

The architecture of computer system 100 is designed to be capable of protecting memory 110 from malware initiated intrusions, and preventing malware from initiating unwanted processes on first processor 120. This is accomplished by using second processor 140 to isolate 110 and 120 from network 195. In a preferred embodiment, P2 140 is communicatively coupled to memory storage area M2 130, and may be configured such that P2 140 is incapable of initiating access to memory storage area M1 110. For example, P2 140 may be capable of accessing memory storage area M1 110 with the strict permission of user 160, either through a real time interaction or via stored configuration or commands. Such a configuration may be desirable in a multi-core or multi processor system, where user 160 may wish to use P2 140 in either a protected mode or an unprotected mode, depending on the application. However, user 160 is capable of denying P2 140 the capability of initiating access to memory storage area M1 110 without the user's permission. P1 120 is communicatively coupled to both memory areas M1 110 and M2 130, thereby enabling P1 120 to access data downloaded from the network 195. In the presently described embodiment, any malware that has intruded the 130-140 system is thus confined to the 130-140 system, and the system may be configured such that the malware is incapable of automatically corrupting data contained on M1 110, or of automatically initiating an unwanted process on P1 120.

This and other features of the present teachings may be illustrated with reference to the example process flow 200 of FIG. 2. Computer user 160 wishes to connect to network 195 via, for example, a browser program such as Internet Explorer or Netscape Navigator. Of course, other methods of connecting to network 195 may be used. User 160 inputs commands to open a protected process (e.g. a browser program in this example) at step 210. At step 220, 1st processor 120 instructs 2nd processor 140 to initiate the protected process and open one or more process windows. Second processor 140, in conjunction with memory 130, then interacts with the network 195 via network interface device 190, receiving and transmitting the data necessary to execute the desired protected process, such as browsing the internet or communication via e-mail. Second processor 140 and memory 130 act as a separate computer system, interacting with network 195 while isolating network 195 from the first processor 120 and memory 110. Memory 130 may store critical application and system files required by second processor 140 to execute the desired tasks. Memory 130 also stores data necessary to carry out the desired protected process. In the example of FIG. 2, first processor 120 receives user interface data from user 160, and passes user interface data to second processor 140 when the protected process window is selected or active, illustrated at step 230. User interface data, such as keystrokes for example, may be advantageously encrypted by P1 120 before passing the data to P2 140, with network interface device 190 possibly decrypting the data prior to transmitting the data to network 195. Encrypting keystroke data, for example, may disrupt the efforts of spyware programs designed to store user keystrokes for later transmission to a host computer. Second processor 140 generates video data for the protected process window(s) and passes the video data to video processor 170, for eventual display on video display 180, shown at step 240. Video processor 170 then interleaves the video data from all processes being executed by first processor 120 and second processor 140, at step 250. While there are many applicable methods for displaying video data from multiple sources, one such method was described in U.S. Pat. No. 5,751,979, entitled “Video hardware for protected, multiprocessing systems”, previously incorporated by reference.

In accordance with a preferred embodiment of the present invention, if any malware is downloaded from network 195, it is stored in memory 130, and/or run as a process on second processor 140. In the configuration of computer system 100, any downloaded malware is rendered incapable of self initiating access to memory 110 or first processor 120, because second processor 140 is rendered incapable of initiating access to 110 and 120 without a direct or stored command from user 160. Any malware infection is thus confined. If a malware attack corrupts files and/or disrupts the operation of the 130-140 system, the user may easily shut down the corrupted process and restore the corrupted files from a protected image stored on memory 110, for example.

In accordance with a preferred embodiment of the present invention, the operating system controlling the 110-120 system may be different from an operating system controlling the protected 130-140 system. Conversely, a common operating system may control both the 110-120 system and the protected 130-140 system.

A user 160 may find it desirable to transfer files from the protected 130-140 system to the 110-120 system. User 160 may find it necessary, for example, to transfer an attachment from an e-mail message stored on memory 130 to the 110-120 system for further processing, modification, etc. In this case, the computer system 100 may go through a process whereby a file or other data is transferred from the 130-140 system to the 110-120 system, exemplified by the process 300 illustrated in FIG. 3.

In accordance with a preferred embodiment of the present invention, at step 310, user 160 selects one or more data files to download from network 195. The desired data is downloaded to the 130-140 system at step 320. The user 160 then directs computer system 100 to move the desired file(s) from the 130-140 system to the 110-120 system at step 330. P1 120 may then perform a malware scan on the desired files, either in real time as the data is being transferred, or while the data still resides in M2 130 (step 340). Alternatively, P2 140 may perform the malware scan. At step 350, processor P2 140 (or P1 120) determines whether malware has been detected in the desired file(s), and P1 120 makes a decision accordingly. If no malware is detected, the file(s) are moved or copied onto M1 110 at step 360. If malware is detected, the data file(s) are quarantined on M2 130, and the data file(s), if already transferred to M1 110, are erased or quarantined. Once malware is detected, the user 160 may be alerted of the detection (step 370). Either as a result of user input or stored configuration commands, the infected file(s) are deleted, cleaned, or quarantined on M2 130, at step 380.
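An added illustration of process 300 (steps 320 through 380) in Python; it is not code from the patent. M1 and M2 are modelled as directories, and the malware scan as a constructed SHA-256 signature match standing in for a real anti-malware engine.

```python
"""Transfer gate for moving a download from the 130-140 system (M2) to the
110-120 system (M1): scan first, move only when clean, otherwise quarantine
on M2 and alert the user. Added example; M1/M2 are directories here."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed sample standing in for a malicious download; its hash is the
# only entry in the constructed signature set.
MALICIOUS_SAMPLE = b"CONSTRUCTED-MALWARE-SAMPLE-FOR-ILLUSTRATION"
KNOWN_BAD_SHA256 = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}


def scan_for_malware(path: Path) -> bool:
    """Step 340: True when the file matches a known-bad signature."""
    return hashlib.sha256(path.read_bytes()).hexdigest() in KNOWN_BAD_SHA256


class TransferGate:
    """Models M2 (downloads plus a quarantine area) and M1 (the protected store)."""

    def __init__(self, root: Path):
        self.m2 = root / "m2"
        self.m1 = root / "m1"
        self.quarantine = self.m2 / "quarantine"
        for d in (self.m2, self.m1, self.quarantine):
            d.mkdir(parents=True, exist_ok=True)
        self.alerts = []

    def download(self, name: str, data: bytes) -> Path:
        """Step 320: downloaded data lands on M2 only; nothing touches M1 here."""
        target = self.m2 / name
        target.write_bytes(data)
        return target

    def transfer_to_m1(self, name: str) -> str:
        """Steps 330 to 380: the user asks for a file on M2 to be moved to M1."""
        src = self.m2 / name
        if not src.is_file():
            raise FileNotFoundError(name)
        if scan_for_malware(src):
            # Step 350 detected malware: quarantine on M2 (step 380) and alert
            # the user (step 370); the file never reaches M1.
            shutil.move(str(src), str(self.quarantine / name))
            self.alerts.append(f"malware detected in {name}; quarantined on M2")
            return "quarantined"
        # Step 360: a clean file crosses to M1.
        shutil.move(str(src), str(self.m1 / name))
        return "moved"

    def listing(self) -> dict:
        """Where every file ended up, for inspection."""
        return {
            "m1": sorted(p.name for p in self.m1.iterdir()),
            "quarantine": sorted(p.name for p in self.quarantine.iterdir()),
            "m2_pending": sorted(p.name for p in self.m2.iterdir() if p.is_file()),
        }


def demo() -> dict:
    """Run the gate against one clean and one infected constructed download."""
    with tempfile.TemporaryDirectory() as tmp:
        gate = TransferGate(Path(tmp))
        gate.download("report.txt", b"quarterly figures (constructed clean file)")
        gate.download("invoice.exe", MALICIOUS_SAMPLE)
        result = {
            "report.txt": gate.transfer_to_m1("report.txt"),
            "invoice.exe": gate.transfer_to_m1("invoice.exe"),
            "alerts": list(gate.alerts),
        }
        result.update(gate.listing())
    return result


if __name__ == "__main__":
    print(demo())
```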

The user 160 would of course understand the dangers inherent in transferring downloaded files from the 130-140 system to the 110-120 system. For example, the user's anti-malware software may not be up to date, or may simply be unable to detect certain types of malware. Also, the malware itself may be so new that the user's anti-malware definitions have not been updated as yet. Therefore the user may wish to keep the files on the 130-140 system for some period of time. Consequently, it may be desirable to have resident on the 130-140 system a variety of application software such as readers, thereby allowing the user to examine the files without risking transferring the files to the 110-120 system. These reader programs, such as Adobe Acrobat Reader, by the Adobe Systems Corporation, or Visio reader, by the Microsoft Corporation, are typically subset application programs of the full featured application programs, and may thus require far less memory space than the full application. Additionally, software companies often distribute the reader programs for free (or a nominal fee), thereby providing advertising for the full featured application in the hopes that it will be eventually purchased by the user. This reader application may be opened and executed on the 130-140 system in a manner similar to the process described in FIG. 2. Of course, a user 160 may also load a full application into the 130-140 system, enabling processing and modification of a downloaded file fully in the protected space, without risking a transfer of the file to the 110-120 system.

In the event the 130-140 system becomes infected with malware, the user 160 may wish to clean the 130-140 system. This cleaning may be accomplished by running an anti-malware application on the 130-140 system. However, if the infection is too severe for the anti-malware software to clean, or if the malware is undetectable by the user's anti-malware software, the user may wish to restore critical system files (or other user data files) for the 130-140 system from a protected image stored on M1 110, for example. It is of course understood that the critical system file image may be restored from another device, such as a removable drive or a CD, for example. The user may however consider it more convenient to restore the critical system files from an image on M1 110.

In accordance with a preferred embodiment of the present invention, an exemplary process for restoring M2 130 from M1 110 is illustrated by process 400 in FIG. 4. At step 410, malware is detected or suspected to be infecting the 130-140 system. The user instructs P1 120 to reload critical system files onto M2 130 from a protected image on M1 110, at step 420. Depending on the severity of the infection, P1 120 may scan all or part of the data contained on M2 130 for malware, and may scan all processes currently running on P2 140. The scan may be initiated by direct instructions from the user, or by stored configuration commands, for example (step 430). P1 120 may delete all or part of the data contained on M2. P1 120 may also reset P2 140 and/or delete the contents of any RAM communicatively coupled to P2 140 (step 440). Once the 130-140 system has been adequately cleaned, clean critical system files are loaded onto M2 130 from any of the sources previously mentioned, preferably an image stored on M1 110 (step 450). The 130-140 system may now be rebooted and/or reinitialized from the clean critical system files. In an extreme case where the malware resists deletion by the operating system, the user may elect to do a low level format on the M1 110 memory in order to ensure that the malware infection has been cleaned.

In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically reinitialized from clean critical system files when a protected process window is opened. In this way, the new protected process is much less likely to be affected by an infection from a previous protected process session. Of course, a user may have a plurality of protected processes open and running during a protected process session. It may only be necessary to automatically reinitialize from clean critical system files when the first protected process is opened during a session. Subsequent protected processes may not require automatic re-initialization from clean critical system files. An exemplary automatic re-initialization from clean critical system files is illustrated by steps 510, 520 and 530 in FIG. 5a. Additionally, processes running on P2 140 may be automatically scanned and compared with an allowed process list, particularly as a protected process is started up. If any process is detected which is not on the allowed list, the user may be alerted that a possible malware infection has occurred. A user may then choose to scan or clean the system, or inspect the unknown process to determine if the process will be allowed to continue to execute. A user may also update the list of allowed processes from time to time as new, legitimate processes are added, for example, by a browser software update.

In accordance with a preferred embodiment of the present invention, a user 160 may consider it advantageous for the 130-140 system to be automatically cleaned when a protected process window is closed. In this way, any detected or undetected malware infections are much less likely to affect a future protected process session. It may only be necessary to automatically clean the 130-140 system when the last protected process is closed during a session. An exemplary automatic cleaning process is illustrated by steps 540, 550, 560, 570 and 580 in FIG. 5b. The memory M2 130 and processor P2 140 may be automatically scanned for malware infections as the protected process session closes. Infected files may be deleted or quarantined automatically. Additionally, there may be a variety of files that a user may wish to have automatically cleaned or deleted upon closing a protected process session. For example, temporary internet files, cookies, browser plug-ins, etc., may be deleted or scanned for malware automatically. A user may also wish to have websites that contributed to a malware infection noted, and may wish to place the offending websites in a block list, such that the offending websites cannot be accessed in the future without the user specifically authorizing access. As part of the malware scan, the malware scanner may automatically log the offending website(s), and block future access. Also, the P2 140 processor and any associated non-volatile memory may be reset and/or erased as the protected process session is closed. The exemplary automatic cleaning process illustrated in FIG. 5b may therefore reduce the risk of a malware infection being carried over to a future protected process session.

Interactive network processes such as interactive gaming have become very popular in recent years. In current interactive gaming processes, a user may log onto a game host located on network 195, or connect to other computers whose users wish to participate in the game. Computer games, such as Quake 3 Arena, by Id Software Incorporated, or Call of Duty, by Activision Incorporated, are just two examples of the plethora of games available that may be played interactively over a network. The user's computer system typically provides the bulk of the processing power and video graphics generation required to display the often fast moving and richly detailed three dimensional game environments. Information about the current and new state of the game is exchanged between various users' computer systems, often in real time. With this type of process, a relatively modest amount of data is required to be exchanged between users, or a user and the host, with the bulk of the processing, data manipulation, and graphics generation being handled by the user's local machine. However, this open network connection may become a conduit for malware practitioners to exploit, allowing malware to be downloaded onto a user's computer during a gaming session, often without the user being aware of the malware transfer. It would be advantageous, therefore, for a computer system to be much less susceptible to malware attacks during gaming sessions.

In accordance with a preferred embodiment of the present invention, an exemplary process flow 600, illustrated in FIG. 6, allows an interactive network process, such as online gaming, to be carried out on computer system 100. A user initiates an interactive network process via 2nd processor P2 140 (step 610). P2 140 receives interactive network process status data from the network connection (step 620). P2 140 informs 1st processor P1 120 that interactive network process status data is available (step 630). P1 120 retrieves interactive network process status data from P2 140 and uses the status data to update the interactive network process and update the video display (step 640). P1 120 then passes the updated interactive network process status data to P2 140 (step 650). P2 140 then sends the updated interactive network process status data to the network via network connection 195 (step 660). The exemplary process 600, or a process functionally equivalent, is carried out continuously as long as the interactive process is running.

By using exemplary process 600 (or an equivalent), computer system 100 is capable of actively deciding what data to download and use, and what data to discard or scan for malware. The game status data is buffered prior to loading it onto the 110-120 system. The 110-120 system may be advantageously configured to only accept game status information in the proper format, thereby minimizing the chance that a malware practitioner could deceptively load malware onto the 110-120 system.
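An added illustration, not the patent's own code, of the "proper format only" rule at step 640: P2's buffer is filtered by a strict parser, and only records that parse cleanly reach the 110-120 system, with everything else set aside for a malware scan. The 14-byte record layout, the playfield bound and the sample buffer are constructed for this example and are not taken from any real game protocol.

```python
"""Strict acceptance of game status records buffered by P2 before P1 uses them."""
import struct
from dataclasses import dataclass

# Constructed wire format: little-endian, fixed 14 bytes.
#   magic "GS" | version u8 | player u16 | x i16 | y i16 | health u8 | tick u32
STATUS_FMT = struct.Struct("<2sBHhhBI")
MAGIC = b"GS"
VERSION = 1
MAP_LIMIT = 4096      # constructed playfield bound
MAX_HEALTH = 100


@dataclass(frozen=True)
class GameStatus:
    player: int
    x: int
    y: int
    health: int
    tick: int


def parse_status(msg: bytes) -> GameStatus:
    """Exact length, fixed magic and version, every field in range.
    Anything that is not a well-formed status record raises ValueError."""
    if len(msg) != STATUS_FMT.size:
        raise ValueError(f"length {len(msg)} != {STATUS_FMT.size}")
    magic, version, player, x, y, health, tick = STATUS_FMT.unpack(msg)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if version != VERSION:
        raise ValueError(f"unsupported version {version}")
    if not (-MAP_LIMIT <= x <= MAP_LIMIT and -MAP_LIMIT <= y <= MAP_LIMIT):
        raise ValueError("coordinates outside playfield")
    if health > MAX_HEALTH:
        raise ValueError("health out of range")
    return GameStatus(player, x, y, health, tick)


def encode_status(s: GameStatus) -> bytes:
    """Inverse of parse_status; P1 uses it for the step 650 update handed back to P2."""
    return STATUS_FMT.pack(MAGIC, VERSION, s.player, s.x, s.y, s.health, s.tick)


def accept_from_buffer(buffered):
    """Step 640 gate: returns (accepted records, rejected (bytes, reason) pairs).
    Rejected bytes never reach P1's game state; they are kept for scanning."""
    accepted, rejected = [], []
    for msg in buffered:
        try:
            accepted.append(parse_status(msg))
        except ValueError as exc:
            rejected.append((msg, str(exc)))
    return accepted, rejected


# Constructed buffer as P2 might hold it after step 620: one good record and
# four malformed ones (oversized, wrong magic, bad health, off the playfield).
SAMPLE_BUFFER = [
    encode_status(GameStatus(player=7, x=120, y=-45, health=80, tick=1001)),
    encode_status(GameStatus(player=7, x=121, y=-44, health=80, tick=1002)) + b"\xff" * 32,
    b"XX" + bytes(12),
    STATUS_FMT.pack(MAGIC, VERSION, 7, 0, 0, 255, 1003),
    STATUS_FMT.pack(MAGIC, VERSION, 7, 9000, 0, 50, 1004),
]


def demo():
    return accept_from_buffer(SAMPLE_BUFFER)


if __name__ == "__main__":
    ok, bad = demo()
    print(f"accepted {len(ok)}, rejected {len(bad)}")
    for raw, why in bad:
        print(f"  rejected {raw[:8].hex()}...: {why}")
```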

Additionally, computer system 100 could be configured such that system 130-140 is powerful enough to process the interactive network process without exchanging information with the 110-120 system. Such a configuration may be more secure, as a conduit between the 110-120 system and the 130-140 system need not be opened. The 130-140 system may contain all the necessary files to facilitate the interactive network process. Higher end computers, workstations, and servers often contain dual (or more) processors, such as the Mac G5, manufactured by the Apple Computer Corporation, or a single physical processor with a multiple processor core. Often, the processors in these multi-processor machines are of equal or comparable processing power. In such a configuration, one processor may be dedicated to performing functions equivalent to those described for P1 120, with a second processor performing the functions equivalent to those described for P2 140. A computer system 100 employing multiple processors may be advantageously configured such that one of the processors is dedicated to protected processes only when a network process is active. When a user is not accessing a network, the multiple processors in a computer system may be dedicated to other processes, such as performing complex calculations or simulations, or running complex non-network interactive gaming processes, for example. Alternatively, the computer system 100 may be configured such that the 110-120 system simply transfers required files to the video processor 170 or the 130-140 system at the appropriate time to facilitate the interactive network process. The 110-120 system could be commanded to retrieve and transfer the files at the command of the video processor, or at the command of the 130-140 system, or a combination of both.

In accordance with embodiments of the present invention, computer system 100 may be configured in a variety of ways, while still remaining within the spirit and scope of the present teachings. One such exemplary embodiment is illustrated in FIG. 7. Subsystem 700 of computer system 100 comprises a video processor 770, a second processor 740, and a second memory data storage area 730. The demarcation line illustrated by subsystem 700 may be either physical or logical. For example, subsystem 700 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of the teachings of the present invention. Subsystem 700 may be plugged into the main motherboard of an existing computer, for example. The motherboard connector may be already communicatively coupled to the 110-120 system, thereby facilitating the system upgrade. The network interface device 190 may be connected directly to subsystem 700, or network interface device 190 could be integrated as part of subsystem 700. Memory data storage area 730 may comprise any of the volatile and/or non-volatile memory types previously described, or any combination thereof, or any suitable memory storage medium, for example. Alternatively, subsystem 700 may be located on the motherboard, as opposed to an add-on card. Further still, portions of subsystem 700, such as video processor 770, and/or second processor 740, for example, may be integrated together with P1 120. It is understood that functions described herein may be configured in a wide variety of ways, without departing from the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in FIG. 8. Subsystem 800 of computer system 100 comprises a video processor 870, a second processor 840, and a second memory data storage area 830. The demarcation line illustrated by subsystem 800 may be either physical or logical. For example, subsystem 800 may comprise an add-on card, such as a high end video card, or a video/network card. If configured in this exemplary manner, a user could upgrade an existing computer system to take advantage of features of the present invention. In the exemplary embodiment of FIG. 8, second processor 840 and video processor 870 are integrated together, perhaps on a common integrated circuit. Such a configuration may help to reduce the cost of subsystem 800, and/or improve the performance. Additionally, a circuit designer may find it advantageous to integrate 840 and 870 together to facilitate communication between the functions. It is understood that such an integration of functions may create a device in which an external user may find it difficult to distinguish where the function of 870 ends and the function of 840 begins, and vice versa. Such a device, however, would remain within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, an alternate configuration for computer system 100 is illustrated in FIG. 9. Computer system 100 comprises a video processor 970, processor 960, and a memory data storage area 950. Processor 960 may further comprise multiple processor cores, illustrated by 1st processor 920 and 2nd processor 940. It is understood that processor 960 may contain more than 2 processor cores. Microprocessors manufactured with multiple processor cores are becoming common in the industry, and such multi-core processors may be particularly advantageous when used in accordance with the present teachings. Memory data storage area 950 may further comprise 1st memory data storage area 910 and 2nd memory data storage area 930. Memory areas 910 and 930 may comprise, for example, different partitions on a single hard drive, and/or different address ranges in a RAM bank.

Referring again to FIG. 9, the functions carried out by processors 920 and 940 may comprise separate, secure logical processes executing on the same physical processor. For example, a first logical process may comprise executing instructions necessary to carry out the functions of an operating system, or the first logical process may comprise executing instructions necessary to carry out the functions of a first computer program, including but not limited to a word processor. A second logical process may comprise executing instructions necessary to carry out the functions of a web browser program, or may comprise executing instructions necessary to carry out the functions of an instant messenger program, for example. A computer system 100 constructed in accordance with the principles of the present invention would be capable of disallowing a secure logical process, such as the second logical process described above, access to certain memory spaces, and/or disallowing a secure logical process from initiating access to another logical process. For example, the functions carried out by P2 140 (FIG. 1) may comprise a secure logical process, which may be configured to be unable to automatically initiate access to either M1 110 or another logical process performing the functions of P1 120. Additionally, memory areas 910 and 930 may comprise separate, isolated memory zones within a common physical memory space, such as separate partitions within the same hard drive, for example.

Some malware programs are designed to secretly record user input commands (such as keystrokes, for example), then send the information back to a host computer. This type of malware is capable of stealing important user information, such as passwords, bank account numbers, social security numbers, driver's license numbers, credit account numbers, etc. Theft of such personal information could result in the theft of actual assets (money or securities, etc.), or the information could be used for identity theft, among other malicious intents. Clearly, a computer system capable of ensuring the protection of such sensitive information would be desirable.

In accordance with an embodiment of the present invention, a computer system is configured such that attempts by malware to record and report data entry by the computer user via input devices such as keyboards, mouse clicks, microphones, or any other data input devices are effectively blocked. Encryption of user input data, such as keystrokes, is an effective means of protecting such data from theft by malware. Specific techniques used for data encryption and decryption are well known in the art, and need not be discussed further here. There are many examples in the art that may be examined to better understand various encryption/decryption techniques and the use of encryption/decryption in computer systems. Among these are U.S. Pat. No. 6,581,162, entitled “Method for securely creating, storing and using encryption keys in a computer system,” issued to Angelo, et al., and U.S. Pat. No. 6,134,661, entitled “Computer network security device and method,” issued to Topp. The aforementioned patents have been previously incorporated by reference.

In accordance with the present teachings, a method of operating a computer system involving data encryption is described. In step 1010, a user opens a protected process where some level of data encryption is desired, for example, the encryption of sensitive user interface data or user files. Other data may be encrypted as desired. At step 1020, processor P1 120 instructs processor P2 140 to initiate a protected process and open a process window. P1 120 encrypts the sensitive data and passes the user interface data to P2 140 when a P2 140 window is selected or active (step 1030). P2 140 generates video data for the P2 140 process window(s) and passes the video data to video processor 170 (step 1040). Video processor 170 decrypts the sensitive data and interleaves the video data from all P1 and P2 processes (step 1050). P2 140 passes the encrypted sensitive data to network interface device 190 (step 1060). Network interface device 190 decrypts the sensitive data and passes the decrypted sensitive data to network 195. Of course, other methods of operating a computer system in which data is encrypted prior to being passed to P2 140, and decrypted after leaving the control of P2 140, are within the spirit and scope of the present teachings.

In accordance with a preferred embodiment of the present invention, data desired to be protected is encrypted prior to sending the data to processor P2 140, which may be running one or more malware processes. Processor P2 140 does not have visibility to the decryption keys, and is therefore unable to decrypt the data. Data may be decrypted by network interface device 190 prior to forwarding the data on to network 195. Conversely, encrypted data may be sent directly over the network for decryption by another computer system, including, for example, an internet banking host computer. Decryption keys may be passed between P1 120 and network interface device 190 via a communication link 191. Video processor 170 may decrypt the data prior to displaying the data on video display 180, with decryption keys possibly passed between P1 120 and video processor 170 via a communication link 171. Conversely, data may be passed directly to video processor 170 via a communication link 151.
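An added illustration, not the patent's code, of the step 1030 to 1060 data path: P1 encrypts user input, P2 relays it without ever holding a key, and network interface device 190 decrypts with the key it received from P1 over link 191, rejecting any blob altered while under P2's control. The cipher is a standard-library-only construction (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag), assumed here in place of a vetted AEAD so the example runs without third-party packages.

```python
"""P1 -> P2 -> 190 keystroke path with P2 kept key-less. Added example."""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(master: bytes):
    """Derive separate keystream and MAC keys from the key shared over link 191."""
    enc = hmac.new(master, b"p1-to-190 keystream", hashlib.sha256).digest()
    mac = hmac.new(master, b"p1-to-190 integrity", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a fresh nonce per message keeps streams distinct."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class P1:
    """First processor: holds the key and encrypts user interface data (step 1030)."""

    def __init__(self, master_key: bytes):
        self._enc, self._mac = _subkeys(master_key)

    def protect(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(NONCE_LEN)
        ct = _xor(plaintext, _keystream(self._enc, nonce, len(plaintext)))
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag


class P2:
    """Second processor: relays the blob (steps 1030 to 1060). It has no key, so a
    malware process here sees only ciphertext; what it observed is kept for inspection."""

    def __init__(self):
        self.observed = []

    def relay(self, blob: bytes) -> bytes:
        self.observed.append(blob)
        return blob


class NetworkInterface190:
    """Decrypts with the key shared over link 191; rejects anything altered in transit."""

    def __init__(self, master_key: bytes):
        self._enc, self._mac = _subkeys(master_key)

    def unprotect(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("blob too short")
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed: data altered while under P2 control")
        return _xor(ct, _keystream(self._enc, nonce, len(ct)))


def run_path(keystrokes: bytes, tamper: bool = False):
    """Drive one keystroke buffer through P1 -> P2 -> 190. Returns
    (plaintext recovered by 190 or None, bytes P2 observed, whether 190 rejected it)."""
    master = os.urandom(32)                  # constructed stand-in for the link-191 key
    p1, p2, nic = P1(master), P2(), NetworkInterface190(master)
    blob = p2.relay(p1.protect(keystrokes))
    if tamper:                               # simulate a malware process on P2 flipping one byte
        blob = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]
    try:
        return nic.unprotect(blob), p2.observed[0], False
    except ValueError:
        return None, p2.observed[0], True


if __name__ == "__main__":
    print(run_path(b"constructed-password-123"))
    print(run_path(b"constructed-password-123", tamper=True))
```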

A user 160 may wish to encrypt just a portion of the data destined for the network, such as passwords, credit card numbers, etc. Conversely, a user may wish to encrypt large blocks of data, such as e-mails or large application files containing sensitive text and/or graphics. Instructions may be passed to network interface device 190 directing 190 to decrypt one or more specific data blocks prior to sending the data blocks to network 195. Conversely, instructions may be passed to network interface device 190 directing 190 to pass one or more specific data blocks to network 195 without decryption.

While this invention has been described with reference to illustrative embodiments, this description is not intended to be construed in a limiting sense. Various modifications and combinations of the illustrative embodiments, as well as other embodiments of the invention, will be apparent to persons skilled in the art upon reference to the description. It is therefore intended that the appended claims encompass any such modifications or embodiments.

1. A method of operating a computer system having at least a first and second electronic data processor capable of executing instructions using a common operating system, comprising the steps of: executing instructions in a first logical process within the common operating system using the first electronic data processor, wherein the first logical process is capable of accessing data contained in a first memory space and a second memory space; executing instructions in a second logical process within the common operating system using the second electronic data processor, wherein the second logical process is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers; displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein a video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
2. The method of claim 1 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
3. The method of claim 1 wherein the second logical process is selected from the group consisting of: an electronic mail process, an instant messaging process, an internet browser process, an interactive gaming process, a virtual private network (VPN) process, and a reader application process.
4. The method of claim 1 wherein the first logical process receives user interface data, and passes the user interface data to the second logical process.
5. The method of claim 1 wherein the first and second electronic data processors are part of a multi-core electronic data processor.
6. The method of claim 1 and further comprising the step of restoring at least one corrupted data file residing on the second memory space from an image residing on the first memory space.
7. The method of claim 1 and further comprising the step of automatically deleting at least one data file residing on the second memory space when the second logical process is terminated.
8. The method of claim 1 and further comprising the steps of: encrypting data with the first logical process; transferring the encrypted data from the first logical process to the second logical process; transferring the encrypted data from the second logical process to the network interface device.
9. The method of claim 8 and further comprising the steps of: decrypting the data with the network interface device; transferring the decrypted data from the network interface device to the network.
10. A multi-processor computer system using a common operating system, comprising: a first electronic data processor capable of executing instructions using the common operating system and communicatively coupled to a first memory space and a second memory space; a second electronic data processor capable of executing instructions using the common operating system and communicatively coupled to the second memory space and to a network interface device, wherein the second electronic data processor is capable of exchanging data across a network of one or more computers via the network interface device; a video processor adapted to combine video data from the first and second electronic data processors and transmit the combined video data to a display terminal for displaying the combined video data in a windowed format; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing on the second electronic data processor.
11. The computer system of claim 10 wherein the first memory space and the second memory space comprise separate regions of a common memory space.
12. The computer system of claim 10 wherein the first and second electronic data processors are part of a dual processor computer system.
13. The computer system of claim 10 wherein the second electronic data processor and the video processor are co-located on a circuit card, the circuit card being communicatively coupled to the first electronic data processor.
14. The computer system of claim 10 wherein the computer system is configured such that the first electronic data processor is protected from executing instructions initiated by a malware process downloaded from the network and executing on the second electronic data processor.
15. A multi-processor computer system using a common operating system, comprising: at least a first and second electronic data processor capable of executing instructions using the common operating system; at least a first and second memory space; a video processor; wherein the first and second electronic data processors, first and second memory space, and video processor are configured for performing the steps of: executing instructions in a first logical process with the first electronic data processor, wherein the first logical process is executing within the common operating system and is capable of accessing data contained in the first memory space and the second memory space; executing instructions in a second logical process with the second electronic data processor, wherein the second logical process is executing within the common operating system and is capable of accessing data contained in the second memory space, the second logical process being further capable of exchanging data across a network of one or more computers; displaying, in a windowed format on a display terminal, data from the first logical process and the second logical process, wherein the video processor is adapted to combine data from the first and second logical processes and transmit the combined data to the display terminal; wherein the computer system is configured such that the second electronic data processor is operating in a protected mode and data residing on the first memory space is protected from corruption by a malware process downloaded from the network and executing as part of the second logical process.
 16. The computer systemof claim 15 wherein the computer system is further configured such thatthe first logical process is protected from executing instructionsinitiated by a malware process downloaded from the network and executingas part of the second logical process.
 17. The computer system of claim15 and further comprising: at least one network interface device capableof exchanging data with both the second logical process and with thenetwork.
 18. The computer system of claim 17 wherein the networkinterface device is capable of decrypting data received from the secondlogical process and transmitting the decrypted data to the network whilepreventing the second logical process from accessing the decrypted data.19. The computer system of claim 15 wherein the at least one electronicdata processor is selected from the group consisting of: a multi-coreelectronic data processor; dual electronic data processors; and multipleelectronic data processors.
 20. The computer system of claim 15 andfurther configured for performing the step of: restoring at least onecorrupted data file residing on the second memory space from an imageresiding on the first memory space.
 21. A computer program productcomprising a program code stored in a non-transitory computer readablemedium configured to: execute instructions in a first logical processwith a first electronic data processor employing a common operatingsystem, the first logical process being configured to access data in afirst memory space and a second memory space; execute instructions in asecond logical process with a second electronic data processor employingthe common operating system, the second logical process being configuredto access data in the second memory space and exchange data across anetwork of one or more computers; generate data from the first logicalprocess and the second logical process for display; and operate thesecond electronic data processor in a protected mode such that dataresiding in the first memory space is protected from corruption by amalware process downloaded from the network and executing as part of thesecond logical process.
 22. The computer program product of claim 21wherein said program code stored in said non-transitory computerreadable medium is further configured to protect the first logicalprocess from executing instructions initiated by the malware processdownloaded from the network and executing as part of the second logicalprocess.
 23. The computer program product of claim 21 wherein the firstand second electronic data processors are part of a multi-coreelectronic data processor.
 24. The computer program product of claim 21wherein said program code stored in said non-transitory computerreadable medium is further configured to restore at least one corrupteddata file residing on the second memory space from an image residing onthe first memory space.
 25. The computer program product of claim 21wherein said program code stored in said non-transitory computerreadable medium is further configured to automatically delete at leastone data file residing on the second memory space when the secondlogical process is terminated.
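A small Python model of the access policy in claims 10, 15 and 21, together with the restore-from-image step (claims 6, 20, 24) and the delete-on-termination step (claims 7, 25), added here as an illustration and not code from the patent; the process names, file names and contents are constructed.

```python
from enum import Enum

class Space(Enum):
    FIRST = "first"    # memory space the network-facing process must never reach
    SECOND = "second"  # memory space shared by both logical processes

class AccessDenied(Exception):
    """Raised when a logical process initiates access outside its allowed spaces."""

class LogicalProcess:
    """One logical process pinned to one electronic data processor (constructed model)."""
    def __init__(self, name, allowed, spaces):
        self.name, self.spaces = name, spaces   # spaces: shared dict Space -> {path: bytes}
        self.allowed = frozenset(allowed)       # spaces this process may initiate access to

    def files(self, space):
        """File table of `space`, or AccessDenied if this process may not initiate access to it."""
        if space not in self.allowed:
            raise AccessDenied(f"{self.name} may not access the {space.value} memory space")
        return self.spaces[space]

def build_system():
    """Wire two processes over two memory spaces as the claims describe (constructed sample)."""
    spaces = {Space.FIRST: {}, Space.SECOND: {}}
    trusted = LogicalProcess("first process", [Space.FIRST, Space.SECOND], spaces)
    networked = LogicalProcess("second process", [Space.SECOND], spaces)
    return trusted, networked

def restore_from_image(trusted, path):
    """Claims 6/20/24: overwrite a corrupted file in the second space with the image in the first."""
    trusted.files(Space.SECOND)[path] = trusted.files(Space.FIRST)[path]

def terminate(networked):
    """Claims 7/25: delete the data files in the second memory space when the second process ends."""
    networked.files(Space.SECOND).clear()

def demo():
    trusted, networked = build_system()
    trusted.files(Space.FIRST)["app.bin"] = b"clean"      # pristine image kept in the first space
    trusted.files(Space.SECOND)["app.bin"] = b"clean"
    networked.files(Space.SECOND)["app.bin"] = b"infected"   # malware tampers with the shared space...
    try:
        networked.files(Space.FIRST)["app.bin"] = b"infected"   # ...but cannot initiate access to the first
        reached_first = True
    except AccessDenied:
        reached_first = False
    restore_from_image(trusted, "app.bin")
    restored = trusted.files(Space.SECOND)["app.bin"]
    terminate(networked)
    return reached_first, restored, trusted.files(Space.FIRST)["app.bin"], len(networked.files(Space.SECOND))
```

`demo()` returns `(False, b"clean", b"clean", 0)`: the second process never reached the first space, the tampered file was restored from the image, the image itself is intact, and the second space is empty after termination.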